07-04-2008 12:45 PM - edited 07-03-2021 04:07 PM
Hi all,
I have a WiFi environment with a WDS AP (local RADIUS) and about 10 infrastructure APs. The WDS does LEAP authentication/fast roaming for the 7921G phones.
Now I have to build up a new SSID/VLAN with 802.1x/PEAP/MS-CHAP V2 (on IAS) authentication.
Unfortunately, each infrastructure AP can authenticate the client only when wlccp is deactivated.
Is there a way to use the WDS/LEAP as a local RADIUS and send infrastructure authentications to it, but still send user authentications to the IAS?
The 7921G can't be authenticated on the IAS (security issue).
Thanks,
Norbert
07-07-2008 03:33 AM
Hi Norbert,
WDS certainly does support PEAP-MSCHAPv2, so I'd suggest it's just a case of troubleshooting the setup until you get it all working. A few references you may find useful...
07-07-2008 07:27 AM
Hi,
Thanks for the reply. I've found the "hint".
On the WDS-AP (IAS is 192.168.1.3):
-----------------------------------
aaa group server radius GRP-DOT1x
 server 192.168.1.3 auth-port 1645 acct-port 1646
aaa authentication login method_GRP-DOT1x group GRP-DOT1x
radius-server host 192.168.1.3 auth-port 1645 acct-port 1646 key 7 00xxxxx
wlccp authentication-server client eap method_GRP-DOT1x
ssid vlanfordot1x
On the infrastructure AP:
-------------------------
aaa group server radius GRP-DOT1x
 server 192.168.1.3 auth-port 1645 acct-port 1646
aaa authentication login method_GRP-DOT1x group GRP-DOT1x
radius-server host 192.168.1.3 auth-port 1645 acct-port 1646 key 7 00xxxxx
dot11 ssid vlanfordot1x
 vlan 10
 authentication open eap method_GRP-DOT1x
 authentication network-eap method_GRP-DOT1x
interface Dot11Radio0
 ssid vlanfordot1x
 encryption vlan 10 mode wep mandatory
wlccp authentication-server client eap method_GRP-DOT1x
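The two configs above only work when every link in the chain lines up: the SSID's `authentication ... eap` and the `wlccp authentication-server client eap` lines name a method list, the method list names an `aaa group server radius`, and each server in that group has a `radius-server host ... key` entry. The following is an added checker, not code from the thread or from Cisco, that parses an autonomous-AP config and resolves that chain, and also flags an SSID whose VLAN is still on WEP. The sample config embedded in it is constructed to mirror the infrastructure-AP config posted above; the parser assumes the usual IOS layout (top-level commands in column 0, sub-commands indented by one space).

```python
import re

# Constructed sample, mirroring the infrastructure-AP config posted in the thread.
INFRA_AP_CONFIG = """\
aaa group server radius GRP-DOT1x
 server 192.168.1.3 auth-port 1645 acct-port 1646
aaa authentication login method_GRP-DOT1x group GRP-DOT1x
radius-server host 192.168.1.3 auth-port 1645 acct-port 1646 key 7 00xxxxx
dot11 ssid vlanfordot1x
 vlan 10
 authentication open eap method_GRP-DOT1x
 authentication network-eap method_GRP-DOT1x
interface Dot11Radio0
 ssid vlanfordot1x
 encryption vlan 10 mode wep mandatory
wlccp authentication-server client eap method_GRP-DOT1x
"""


def parse_ap_config(text):
    """Collect the AAA-relevant objects from an autonomous-AP running config."""
    cfg = {"groups": {}, "methods": {}, "hosts": set(),
           "ssids": {}, "enc": {}, "wlccp": []}
    section = None  # ("group"|"ssid"|"iface", name) while inside a sub-block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):          # top-level command
            section = None
            if m := re.match(r"aaa group server radius (\S+)", line):
                section = ("group", m.group(1))
                cfg["groups"][m.group(1)] = []
            elif m := re.match(r"aaa authentication login (\S+) group (\S+)", line):
                cfg["methods"][m.group(1)] = m.group(2)
            elif m := re.match(r"radius-server host (\S+) .*\bkey\b", line):
                cfg["hosts"].add(m.group(1))
            elif m := re.match(r"dot11 ssid (\S+)", line):
                section = ("ssid", m.group(1))
                cfg["ssids"].setdefault(m.group(1), {"vlan": None, "methods": set(), "on_radio": False})
            elif m := re.match(r"interface (Dot11Radio\d+)", line):
                section = ("iface", m.group(1))
            elif m := re.match(r"wlccp authentication-server (infrastructure|client(?: \S+)?) (\S+)$", line):
                cfg["wlccp"].append((m.group(1), m.group(2)))
            continue
        if section is None:
            continue
        kind, name = section
        if kind == "group" and (m := re.match(r"server (\S+)", line)):
            cfg["groups"][name].append(m.group(1))
        elif kind == "ssid":
            if m := re.match(r"vlan (\d+)", line):
                cfg["ssids"][name]["vlan"] = m.group(1)
            elif m := re.match(r"authentication (?:open eap|network-eap) (\S+)", line):
                cfg["ssids"][name]["methods"].add(m.group(1))
        elif kind == "iface":
            if m := re.match(r"ssid (\S+)", line):
                cfg["ssids"].setdefault(m.group(1), {"vlan": None, "methods": set(), "on_radio": False})
                cfg["ssids"][m.group(1)]["on_radio"] = True
            elif m := re.match(r"encryption(?: vlan (\d+))? mode (.+)", line):
                cfg["enc"][m.group(1)] = m.group(2)   # key None = radio-wide setting
    return cfg


def audit(cfg):
    """Return a list of findings; an empty list means the chain resolves cleanly."""
    findings = []

    def check_method(ref, where):
        group = cfg["methods"].get(ref)
        if group is None:
            findings.append(f"{where}: method list {ref} is not defined")
            return
        servers = cfg["groups"].get(group)
        if servers is None:
            findings.append(f"{where}: method list {ref} points at undefined group {group}")
            return
        for ip in servers:
            if ip not in cfg["hosts"]:
                findings.append(f"{where}: group {group} server {ip} has no radius-server host/key entry")

    for name, s in cfg["ssids"].items():
        if not s["on_radio"]:
            findings.append(f"ssid {name}: not bound to any Dot11Radio interface")
        if not s["methods"]:
            findings.append(f"ssid {name}: no EAP method list configured")
        for ref in sorted(s["methods"]):
            check_method(ref, f"ssid {name}")
        mode = cfg["enc"].get(s["vlan"], cfg["enc"].get(None))
        if mode is None:
            findings.append(f"ssid {name}: no encryption configured for vlan {s['vlan']}")
        elif "wep" in mode:
            findings.append(f"ssid {name}: vlan {s['vlan']} uses {mode}; prefer ciphers aes-ccm")
    for role, ref in cfg["wlccp"]:
        check_method(ref, f"wlccp {role}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_ap_config(INFRA_AP_CONFIG)) or ["no findings"]:
        print(finding)
```

Run against the posted infrastructure-AP config it reports only the WEP line on VLAN 10; change that line to `encryption vlan 10 mode ciphers aes-ccm` and the report is empty, while dropping the `radius-server host` line makes both the SSID and the `wlccp` reference fail the server check. The `encryption` regex accepts both the per-VLAN and the radio-wide form, so a config with `encryption mode ciphers tkip` followed by `encryption vlan 210 mode ciphers aes-ccm` is handled as well.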
07-09-2008 06:58 PM
Hi, I have found this:
Note: By default, the access point sends reauthentication requests to the authentication server with the service-type attribute set to authenticate-only. However, some Microsoft IAS servers do not support the authenticate-only service-type attribute. Changing the service-type attribute to login-only ensures that Microsoft IAS servers recognize reauthentication requests from the access point. Use the dot11 aaa authentication attributes service-type login-only global configuration command to set the service-type attribute in reauthentication requests to login-only.
http://www.cisco.com/en/US/docs/wireless/access_point/12.4_3g_JA/configuration/guide/s43auth.html
07-09-2008 10:46 PM
Nice! 5 points.
06-09-2010 12:07 AM
I use:
interface Dot11Radio0
 no ip address
 ip access-group 100 in
 no ip route-cache
 !
 encryption mode ciphers tkip
 !
 encryption vlan 210 mode ciphers aes-ccm (important feature)
Will it work if I configure WDS with IAS as I can see above?